OpenSDE
/
rocklinux
mirror of https://github.com/amery/rocklinux.git
2
0
Fork 0
Code Releases Wiki Activity
mirror of the now-defunct rocklinux.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2755 Commits
1 Branch
0 Tags
34 MiB
 
 
 
 
 
 
Tree: 4ba83f6d0e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4ba83f6d0e'
${ noResults }
rocklinux/package/base/pam/cvs-fixes.patch

530 lines
15 KiB
Raw Blame History

# --- ROCK-COPYRIGHT-NOTE-BEGIN ---
#
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
# Please add additional copyright information _after_ the line containing
# the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
# the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
#
# ROCK Linux: rock-src/package/base/pam/cvs-fixes.patch
# ROCK Linux is Copyright (C) 1998 - 2003 Clifford Wolf
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version. A copy of the GNU General Public
# License can be found at Documentation/COPYING.
#
# Many people helped and are helping developing ROCK Linux. Please
# have a look at http://www.rocklinux.org/ and the Documentation/TEAM
# file for details.
#
# --- ROCK-COPYRIGHT-NOTE-END ---
Some fixes from PAM cvs (checked out at 2003-05-03).
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/Makefile Linux-PAM/modules/pam_unix/Makefile
--- Linux-PAM-0.77/modules/pam_unix/Makefile 2001-02-11 07:33:53.000000000 +0100
+++ Linux-PAM/modules/pam_unix/Makefile 2003-01-14 06:43:07.000000000 +0100
@@ -41,8 +41,10 @@
########################################################################
-CFLAGS += $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) $(EXTRAS)
-LDLIBS = $(EXTRALS)
+CFLAGS += $(USE_CRACKLIB) $(USE_LCKPWDF) $(NEED_LCKPWDF) $(EXTRAS) \
+ -I../pammodutil/include
+
+LDLIBS = $(EXTRALS) -L../pammodutil -lpammodutil
ifdef USE_CRACKLIB
CRACKLIB = -lcrack
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c Linux-PAM/modules/pam_unix/pam_unix_passwd.c
--- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2002-07-09 06:44:18.000000000 +0200
+++ Linux-PAM/modules/pam_unix/pam_unix_passwd.c 2003-01-14 06:43:07.000000000 +0100
@@ -88,7 +88,7 @@
*/
#ifdef NEED_LCKPWDF
-#include "./lckpwdf.-c"
+# include "./lckpwdf.-c"
#endif
extern char *bigcrypt(const char *key, const char *salt);
@@ -471,10 +471,7 @@
D(("called"));
- setpwent();
pwd = getpwnam(forwho);
- endpwent();
-
if (pwd == NULL)
return PAM_AUTHTOK_ERR;
@@ -544,6 +541,24 @@
if (save_old_password(forwho, fromwhat, remember)) {
return PAM_AUTHTOK_ERR;
}
+
+#ifdef USE_LCKPWDF
+ /*
+ * These values for the number of attempts and the sleep time
+ * are, of course, completely arbitrary.
+ *
+ * My reading of the PAM docs is that, once pam_chauthtok()
+ * has been called with PAM_UPDATE_AUTHTOK, we are obliged to
+ * take any reasonable steps to make sure the token is
+ * updated; so retrying for 1/10 sec. isn't overdoing it.
+ */
+
+ retval = lckpwdf();
+ if (retval != 0) {
+ return PAM_AUTHTOK_LOCK_BUSY;
+ }
+#endif /* def USE_LCKPWDF */
+
if (on(UNIX_SHADOW, ctrl) || (strcmp(pwd->pw_passwd, "x") == 0)) {
retval = _update_shadow(forwho, towhat);
if (retval == PAM_SUCCESS)
@@ -552,6 +567,10 @@
retval = _update_passwd(pamh, forwho, towhat);
}
+#ifdef USE_LCKPWDF
+ ulckpwdf();
+#endif /* def USE_LCKPWDF */
+
return retval;
}
@@ -563,9 +582,7 @@
int retval = PAM_SUCCESS;
/* UNIX passwords area */
- setpwent();
pwd = getpwnam(user); /* Get password file entry... */
- endpwent();
if (pwd == NULL)
return PAM_AUTHINFO_UNAVAIL; /* We don't need to do the rest... */
@@ -679,7 +696,7 @@
int argc, const char **argv)
{
unsigned int ctrl, lctrl;
- int retval, i;
+ int retval;
int remember = -1;
/* <DO NOT free() THESE> */
@@ -689,33 +706,12 @@
D(("called."));
-#ifdef USE_LCKPWDF
- /* our current locking system requires that we lock the
- entire password database. This avoids both livelock
- and deadlock. */
- /* These values for the number of attempts and the sleep time
- are, of course, completely arbitrary.
- My reading of the PAM docs is that, once pam_chauthtok() has been
- called with PAM_UPDATE_AUTHTOK, we are obliged to take any
- reasonable steps to make sure the token is updated; so retrying
- for 1/10 sec. isn't overdoing it.
- The other possibility is to call lckpwdf() on the first
- pam_chauthtok() pass, and hold the lock until released in the
- second pass--but is this guaranteed to work? -SRL */
- i=0;
- while((retval = lckpwdf()) != 0 && i < 100) {
- usleep(1000);
- }
- if(retval != 0) {
- return PAM_AUTHTOK_LOCK_BUSY;
- }
-#endif
ctrl = _set_ctrl(pamh, flags, &remember, argc, argv);
/*
* First get the name of a user
*/
- retval = pam_get_user(pamh, &user, "Username: ");
+ retval = pam_get_user(pamh, &user, NULL);
if (retval == PAM_SUCCESS) {
/*
* Various libraries at various times have had bugs related to
@@ -725,9 +721,6 @@
*/
if (user == NULL || !isalnum(*user)) {
_log_err(LOG_ERR, pamh, "bad username [%s]", user);
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return PAM_USER_UNKNOWN;
}
if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
@@ -737,9 +730,6 @@
if (on(UNIX_DEBUG, ctrl))
_log_err(LOG_DEBUG, pamh,
"password - could not identify user");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
@@ -761,9 +751,6 @@
D(("prelim check"));
if (_unix_blankpasswd(ctrl, user)) {
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return PAM_SUCCESS;
} else if (off(UNIX__IAMROOT, ctrl)) {
@@ -773,9 +760,6 @@
if (Announce == NULL) {
_log_err(LOG_CRIT, pamh,
"password - out of memory");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return PAM_BUF_ERR;
}
(void) strcpy(Announce, greeting);
@@ -795,9 +779,6 @@
if (retval != PAM_SUCCESS) {
_log_err(LOG_NOTICE, pamh
,"password - (old) token not obtained");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
/* verify that this is the password for this user */
@@ -812,9 +793,6 @@
if (retval != PAM_SUCCESS) {
D(("Authentication failed"));
pass_old = NULL;
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
@@ -867,17 +845,11 @@
if (retval != PAM_SUCCESS) {
_log_err(LOG_NOTICE, pamh, "user not authenticated");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
retval = _unix_verify_shadow(user, ctrl);
if (retval != PAM_SUCCESS) {
_log_err(LOG_NOTICE, pamh, "user not authenticated 2");
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
D(("get new password now"));
@@ -908,9 +880,6 @@
,"password - new password not obtained");
}
pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
D(("returned to _unix_chauthtok"));
@@ -931,9 +900,6 @@
_log_err(LOG_NOTICE, pamh,
"new password not acceptable");
pass_new = pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
/*
@@ -974,9 +940,6 @@
_log_err(LOG_CRIT, pamh,
"out of memory for password");
pass_new = pass_old = NULL; /* tidy up */
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return PAM_BUF_ERR;
}
/* copy first 8 bytes of password */
@@ -998,6 +961,7 @@
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
remember);
+
_pam_delete(tpass);
pass_old = pass_new = NULL;
} else { /* something has broken with the module */
@@ -1008,9 +972,6 @@
D(("retval was %d", retval));
-#ifdef USE_LCKPWDF
- ulckpwdf();
-#endif
return retval;
}
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/pam_unix_sess.c Linux-PAM/modules/pam_unix/pam_unix_sess.c
--- Linux-PAM-0.77/modules/pam_unix/pam_unix_sess.c 2000-12-20 06:15:05.000000000 +0100
+++ Linux-PAM/modules/pam_unix/pam_unix_sess.c 2003-01-14 06:43:07.000000000 +0100
@@ -53,6 +53,7 @@
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
+#include <security/_pam_modutil.h>
#ifndef LINUX_PAM
#include <security/pam_appl.h>
@@ -71,6 +72,7 @@
char *user_name, *service;
unsigned int ctrl;
int retval;
+ const char *login_name;
D(("called."));
@@ -89,9 +91,12 @@
"open_session - error recovering service");
return PAM_SESSION_ERR;
}
- _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)"
- ,user_name
- ,PAM_getlogin() == NULL ? "" : PAM_getlogin(), getuid());
+ login_name = _pammodutil_getlogin(pamh);
+ if (login_name == NULL) {
+ login_name = "";
+ }
+ _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)",
+ user_name, login_name, getuid());
return PAM_SUCCESS;
}
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/support.c Linux-PAM/modules/pam_unix/support.c
--- Linux-PAM-0.77/modules/pam_unix/support.c 2002-09-23 19:33:22.000000000 +0200
+++ Linux-PAM/modules/pam_unix/support.c 2003-01-14 06:43:07.000000000 +0100
@@ -20,6 +20,7 @@
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
+#include <security/_pam_modutil.h>
#include "md5.h"
#include "support.h"
@@ -107,36 +108,6 @@
return retval;
}
- /*
- * Beacause getlogin() is braindead and sometimes it just
- * doesn't work, we reimplement it here.
- */
-char *PAM_getlogin(void)
-{
- struct utmp *ut, line;
- char *curr_tty, *retval;
- static char curr_user[sizeof(ut->ut_user) + 4];
-
- retval = NULL;
-
- curr_tty = ttyname(0);
- if (curr_tty != NULL) {
- D(("PAM_getlogin ttyname: %s", curr_tty));
- curr_tty += 5;
- setutent();
- strncpy(line.ut_line, curr_tty, sizeof(line.ut_line));
- if ((ut = getutline(&line)) != NULL) {
- strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user));
- curr_user[sizeof(curr_user) - 1] = '\0';
- retval = curr_user;
- }
- endutent();
- }
- D(("PAM_getlogin retval: %s", retval));
-
- return retval;
-}
-
/*
* set the control flags for the UNIX module.
*/
@@ -668,10 +639,17 @@
if (new != NULL) {
- new->user = x_strdup(name ? name : "");
+ const char *login_name;
+
+ login_name = _pammodutil_getlogin(pamh);
+ if (login_name == NULL) {
+ login_name = "";
+ }
+
+ new->user = x_strdup(name ? name : "");
new->uid = getuid();
new->euid = geteuid();
- new->name = x_strdup(PAM_getlogin()? PAM_getlogin() : "");
+ new->name = x_strdup(login_name);
/* any previous failures for this user ? */
pam_get_data(pamh, data_name, (const void **) &old);
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_unix/support.h Linux-PAM/modules/pam_unix/support.h
--- Linux-PAM-0.77/modules/pam_unix/support.h 2002-07-11 07:43:51.000000000 +0200
+++ Linux-PAM/modules/pam_unix/support.h 2003-01-14 06:43:07.000000000 +0100
@@ -125,7 +125,6 @@
_pam_drop(xx); \
}
-extern char *PAM_getlogin(void);
extern void _log_err(int err, pam_handle_t *pamh, const char *format,...);
extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
,int type, const char *text);
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pam_wheel/pam_wheel.c Linux-PAM/modules/pam_wheel/pam_wheel.c
--- Linux-PAM-0.77/modules/pam_wheel/pam_wheel.c 2002-07-13 07:48:19.000000000 +0200
+++ Linux-PAM/modules/pam_wheel/pam_wheel.c 2003-01-14 06:43:07.000000000 +0100
@@ -43,6 +43,7 @@
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>
+#include <security/_pam_modutil.h>
/* some syslogging */
@@ -110,7 +111,7 @@
const char *use_group)
{
const char *username = NULL;
- char *fromsu;
+ const char *fromsu;
struct passwd *pwd, *tpwd;
struct group *grp;
int retval = PAM_AUTH_ERR;
@@ -142,7 +143,7 @@
}
fromsu = tpwd->pw_name;
} else {
- fromsu = getlogin();
+ fromsu = _pammodutil_getlogin(pamh);
if (fromsu) {
tpwd = getpwnam(fromsu);
}
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pammodutil/Makefile Linux-PAM/modules/pammodutil/Makefile
--- Linux-PAM-0.77/modules/pammodutil/Makefile 2001-12-09 23:15:12.000000000 +0100
+++ Linux-PAM/modules/pammodutil/Makefile 2003-01-14 06:43:07.000000000 +0100
@@ -18,7 +18,8 @@
-DLIBPAM_VERSION_MINOR=$(MINOR_REL)
# all the object files we care about
-LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o
+LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o \
+ modutil_getlogin.o
# static library name
LIBSTATIC = $(LIBNAME).a
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pammodutil/include/security/_pam_modutil.h Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h
--- Linux-PAM-0.77/modules/pammodutil/include/security/_pam_modutil.h 2001-12-09 23:15:12.000000000 +0100
+++ Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h 2003-01-14 06:43:08.000000000 +0100
@@ -15,7 +15,7 @@
* On systems that simply can't support thread safe programming, these
* functions don't support it either - sorry.
*
- * Copyright (c) 2001 Andrew Morgan <morgan@kernel.org>
+ * Copyright (c) 2001-2002 Andrew Morgan <morgan@kernel.org>
*/
#include <pwd.h>
@@ -30,4 +30,6 @@
extern void _pammodutil_cleanup(pam_handle_t *pamh, void *data,
int error_status);
+extern const char *_pammodutil_getlogin(pam_handle_t *pamh);
+
#endif /* _PAM_MODUTIL_H */
diff -x CVS -x '*cvs*' -ruN Linux-PAM-0.77/modules/pammodutil/modutil_getlogin.c Linux-PAM/modules/pammodutil/modutil_getlogin.c
--- Linux-PAM-0.77/modules/pammodutil/modutil_getlogin.c 1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM/modules/pammodutil/modutil_getlogin.c 2003-01-14 06:43:08.000000000 +0100
@@ -0,0 +1,71 @@
+/*
+ * $Id: cvs-fixes.patch,v 1.3 2003/05/18 06:06:14 clifford Exp $
+ *
+ * A central point for invoking getlogin(). Hopefully, this is a
+ * little harder to spoof than all the other versions that are out
+ * there.
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <utmp.h>
+
+#include "pammodutil.h"
+
+#define _PAMMODUTIL_GETLOGIN "_pammodutil_getlogin"
+
+const char *_pammodutil_getlogin(pam_handle_t *pamh)
+{
+ int status;
+ const char *logname, *curr_tty;
+ char *curr_user;
+ struct utmp *ut, line;
+
+ status = pam_get_data(pamh, _PAMMODUTIL_GETLOGIN,
+ (const void **) &logname);
+ if (status == PAM_SUCCESS) {
+ return logname;
+ }
+
+ status = pam_get_item(pamh, PAM_TTY, (const void **) &curr_tty);
+ if ((status != PAM_SUCCESS) || (curr_tty == NULL)) {
+ curr_tty = ttyname(0);
+ }
+
+ if ((curr_tty == NULL) || memcmp(curr_tty, "/dev/", 5)) {
+ return NULL;
+ }
+
+ curr_tty += 5; /* strlen("/dev/") */
+ logname = NULL;
+
+ setutent();
+ strncpy(line.ut_line, curr_tty, sizeof(line.ut_line));
+
+ if ((ut = getutline(&line)) == NULL) {
+ goto clean_up_and_go_home;
+ }
+
+ curr_user = calloc(sizeof(line.ut_user)+1, 1);
+ if (curr_user == NULL) {
+ goto clean_up_and_go_home;
+ }
+
+ strncpy(curr_user, ut->ut_user, sizeof(ut->ut_user));
+ curr_user[sizeof(line.ut_user)] = '\0';
+
+ status = pam_set_data(pamh, _PAMMODUTIL_GETLOGIN, logname,
+ _pammodutil_cleanup);
+ if (status != PAM_SUCCESS) {
+ free(curr_user);
+ goto clean_up_and_go_home;
+ }
+
+ logname = curr_user;
+
+clean_up_and_go_home:
+
+ endutent();
+
+ return logname;
+}